yes, it is possible and I have done that. You need to install the subCA. I had my CA on the domain controller and my subCA on the SCCM SP1 server and the corresponding templates created with site server full control permission. in hte OOB management component you need to point to the CA for the web server template. I have not done issuing internal provision certificate from SubCA but I would think that also should work.